Why Is NSO Group Asserting Sovereign Immunity in WhatsApp Litigation?


On April 2, private surveillance company NSO Group filed a motion to dismiss WhatsApp’s lawsuit over the alleged hacking of 1,400 cellphones running the WhatsApp application. Among the laundry list of arguments made by NSO Group, the most salient was the surveillance company’s contention that its business with foreign governments entitled it to immunity from suit in U.S. court. WhatsApp, the end-to-end encrypted messaging application owned by Facebook, filed its opposition brief shortly after, challenging NSO Group’s theories for immunity.

NSO Group’s briefs attempt to claim foreign sovereign immunity in two distinct ways. First, NSO Group pairs the Foreign Sovereign Immunities Act (FSIA), the law that limits whether a foreign state can be sued in U.S. court, with Federal Rule of Civil Procedure 19 (Rule 19), the rule that governs the joinder of parties in civil lawsuits. The brief suggests that, together, these provisions disqualify this lawsuit entirely. According to NSO Group, permitting this lawsuit to continue would prejudice the interests of NSO Group’s sovereign clients who are immune from suit under the FSIA. Second, as a fallback, NSO Group asserts immunity for itself. NSO Group argues that it enjoys common law derivative immunity as the agent of sovereign governments that allegedly purchased its Pegasus malware and then used NSO Group services to spy on WhatsApp users.

NSO Group also appended to its motion to dismiss a short statement by CEO Shalev Hulio that was meant to demystify both its company policy and its relationship to sovereign clients. According to Hulio, NSO Group conditions the use of its Pegasus malware on an agreement that its “government customers” will not use the technology for “human right violations” but, instead, for law enforcement purposes and for combating terrorism. Further, Hulio denied that NSO Group manages the operation of its Pegasus technology once the software has been licensed to its clients, explaining that NSO Group offers only “technical support” and does so “entirely at the direction of their government customers.”

Though NSO Group has yet to name any of its sovereign clients, this statement by Hulio fits thematically with the foundational claim being made in NSO Group’s briefs: We didn’t hack WhatsApp; our clients did. This claim supports both of NSO Group’s immunity theories—first, that NSO Group’s foreign sovereign clients are indispensable to the resolution of this case; and, second, that any hacking attributable to NSO Group was at the direction of its sovereign customers.

NSO Group never actually asserts sovereign immunity for itself under the FSIA. Indeed, any claim to derivative immunity for NSO Group under the FSIA, 28 U.S.C. §§ 1602-1611, is a nonstarter. Only foreign states and their “agenc[ies] or instrumentalit[ies]” qualify for immunity under the FSIA. Section 1603(b) of the FSIA defines an “agency or instrumentality of a foreign state” as an entity:

(1) which is a separate legal person, corporate or otherwise, and
(2) which is an organ of a foreign state or political subdivision thereof, or a majority of whose shares or other ownership interest is owned by a foreign state or political subdivision thereof, and
(3) which is neither a citizen of a State of the United States as defined in section 1332 (c) and (e) of this title, nor created under the laws of any third country.

The two parties agree that NSO Group fails to meet the second prong of this definition—it is “a for-profit commercial company” that is neither an organ of nor owned by a foreign state.

Rather, NSO Group introduces the FSIA in service of another tactic altogether. NSO Group argues that including its clients—sovereign governments that purchased NSO malware—is necessary to this case, where their absence disqualifies the lawsuit. Here’s how that tactic is meant to play out: First, NSO Group argues that it did not hack WhatsApp; its sovereign clients did. Second, since sovereign governments caused WhatsApp’s alleged injuries, they are required parties to this lawsuit. Third, as required parties, WhatsApp must join these governments to the lawsuit under Rule 19. Fourth, if the governments must be joined as required parties, but are immune under the FSIA (and thus are immune from suit in U.S. courts), then the entire lawsuit should be dismissed because a judgment in their absence will be prejudicial.

As NSO Group notes in its reply brief, Republic of Philippines v. Pimentel, a case where the Republic of the Philippines was interpled in order to resolve its claim to disputed assets, lends some support to such an argument. Under the Pimentel precedent, NSO Group correctly recognizes that “a case may not proceed when a required-entity sovereign is not amenable to suit.”

Nevertheless, its reliance on Pimentel is wanting.

First, NSO Group is a long way from proving that its government-clients are required parties under Rule 19(a)(1). NSO’s clients would be required parties only if excluding them would give WhatsApp insufficient relief, or if excluding the sovereign clients would prevent them from protecting some interest they may have in the lawsuit. Though NSO claims that WhatsApp’s complaint seeks to enjoin its clients, WhatsApp was clear in their opposition brief that they only seek relief from NSO Group. Further still, NSO Group has yet to name any of its sovereign clients or describe the nature of their interests in this lawsuit. And given that NSO Group was allegedly facilitating covert state espionage, it seems unlikely that NSO Group will name its sovereign clients.

Second, NSO Group is gaming Rule 19 and the Pimentel precedent—the court might view this unfavorably. In Pimentel, the Republic of the Philippines was named in the suit from the very beginning. It then asserted sovereign immunity under the FSIA for itself, a sovereign nation. Here, NSO Group (the defendant) appears to be pulling sovereign governments into the fray in order to use their immunity as a shield where WhatsApp, under the most probable reading of their original complaint, has not named these governments. Considering these factors, the court may well find NSO Group’s intertwined FSIA and Rule 19 argument to be too clever by half.

Derivative Immunity Under Common Law

NSO Group also asserts that it may enjoy derivative immunity, not under the FSIA, but under common law. As both parties recognize, claims of common law derivative immunity are relatively commonplace for domestic contractors working with the U.S. government. But the law is murkier where common law derivative immunity is asserted by a private company working in service of foreign governments.
